This blog was written by Vallabh Chole & Oliver Devane
Over the years, the cybersecurity industry has seen many threats get taken down, such as the Emotet takedown in January 2021. It doesn't usually take long for another threat to attempt to fill the gap left by the takedown. Hancitor is one such threat.
Like Emotet, Hancitor can send malspam to spread itself and infect as many users as possible. Hancitor's main purpose is to distribute other malware such as FickerStealer, Pony, Cobalt Strike, Cuba Ransomware and Zeppelin Ransomware. The dropped Cobalt Strike beacons can then be used to move laterally around the infected environment and also execute other malware such as ransomware.
This blog will focus on a new technique used by Hancitor, created to prevent crawlers from accessing the malicious documents used to download and execute the Hancitor payload.
The infection flow of Hancitor is shown below:
A victim will receive an email with a fake DocuSign template to entice them to click a link. This link leads them to feedproxy.google.com, a service that works similarly to an RSS feed and enables site owners to publish site updates to their users.
When accessing the link, the victim is redirected to the malicious site. The site will check the User-Agent of the browser and, if it is a non-Windows User-Agent, the victim will be redirected to google.com.
If the victim is on a Windows machine, the malicious site will create a cookie using JavaScript and then reload the site.
The code to create the cookie is shown below:
The above code will write the timezone to value 'n' and the time offset to UTC to value 'd', and set them in the Cookie header of an HTTP GET request.
For example, if this code is executed on a machine with the timezone set to BST, the values would be:
d = 60
n = "Europe/London"
These values may be used to prevent further malicious activity or to deploy a different payload depending on geolocation.
Upon reloading, the site will check if the cookie is present and, if it is, it will present the victim with the malicious document.
A Wireshark capture of the request for the malicious document, which includes the cookie values, is shown below:
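The two gates described above (the User-Agent check and the timezone cookie that must be present on the reload) leave a distinctive trace in web proxy logs. The following detection script is an added example for this blog, not code from the original post or from Hancitor itself; the tab-separated log format, the field names, the hostnames and the log records are all constructed for the example. It flags requests whose Cookie header carries an IANA zone name together with a plausible UTC offset in minutes, and URLs that serve content to Windows browsers while redirecting every non-Windows browser away.

```python
"""
Detect the timezone-cookie and User-Agent gating seen in the Hancitor
delivery chain by scanning proxy records.  Added illustrative code; the log
format, field names, hostnames and sample records are constructed.
"""
import re
from collections import defaultdict

# Constructed sample proxy records (tab-separated):
# method, url, user_agent, cookie header ("-" when absent), status, redirect location ("-" when absent)
SAMPLE_LOG = """\
GET\thttp://malicious.example/coccus.php\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t-\t200\t-
GET\thttp://malicious.example/coccus.php\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15)\t-\t302\thttps://google.com/
GET\thttp://malicious.example/coccus.php\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\td=60; n=Europe/London\t200\t-
GET\thttp://benign.example/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\tsession=abc123\t200\t-
GET\thttp://benign.example/index.html\tMozilla/5.0 (X11; Linux x86_64)\tsession=abc123\t200\t-
"""

FIELDS = ("method", "url", "user_agent", "cookie", "status", "location")

# IANA zone names look like Area/Location, e.g. Europe/London or America/Argentina/Buenos_Aires
TZ_NAME_RE = re.compile(r"^[A-Z][A-Za-z]+/[A-Z][A-Za-z_]+(?:/[A-Z][A-Za-z_]+)?$")
OFFSET_RE = re.compile(r"^-?\d{1,3}$")


def parse_log(text):
    """Turn the constructed tab-separated log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than crash on real-world noise
        rec = dict(zip(FIELDS, parts))
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def cookie_pairs(cookie_header):
    """Parse 'a=1; b=2' into a dict; tolerates bare names and '=' inside values."""
    pairs = {}
    if cookie_header in ("", "-"):
        return pairs
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs


def has_timezone_fingerprint(cookie_header):
    """True when one cookie value is an IANA zone name and another is a plausible
    UTC offset in minutes (whole quarter hours, within +/-14 h): the pair the
    landing page writes before reloading itself.  Either sign is accepted."""
    values = list(cookie_pairs(cookie_header).values())
    has_zone = any(TZ_NAME_RE.match(v) for v in values)
    has_offset = any(
        OFFSET_RE.match(v) and abs(int(v)) <= 840 and int(v) % 15 == 0 for v in values
    )
    return has_zone and has_offset


def is_windows_ua(user_agent):
    return "Windows" in user_agent


def find_ua_gated_urls(records):
    """URLs that serve content (2xx) to Windows browsers but only ever redirect
    (3xx) non-Windows browsers: the User-Agent check described in the blog."""
    by_url = defaultdict(lambda: {"windows": set(), "other": set()})
    for rec in records:
        bucket = "windows" if is_windows_ua(rec["user_agent"]) else "other"
        by_url[rec["url"]][bucket].add(rec["status"] // 100)
    gated = []
    for url, seen in by_url.items():
        if 2 in seen["windows"] and seen["other"] and seen["other"] <= {3}:
            gated.append(url)
    return sorted(gated)


def scan(text):
    """Run both checks over a log and return the URLs each one flags."""
    records = parse_log(text)
    tz_hits = sorted({r["url"] for r in records if has_timezone_fingerprint(r["cookie"])})
    return {"timezone_cookie_urls": tz_hits, "ua_gated_urls": find_ua_gated_urls(records)}


if __name__ == "__main__":
    for kind, urls in scan(SAMPLE_LOG).items():
        print(kind, urls)
```

The User-Agent check needs at least one non-Windows request to the same URL to fire, so on a fleet of only Windows clients the cookie check is the one that carries the detection; both are best treated as enrichment for a triage queue rather than as blocking rules, since legitimate sites also set locale cookies.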
The document will prompt the victim to enable macros and, when enabled, it will download the Hancitor DLL and then load it with Rundll32.
Hancitor will then communicate with its C&C and deploy further payloads. If running on a Windows domain, it will download and deploy a Cobalt Strike beacon.
Hancitor can also deploy SendSafe, which is a spam module, and this will be used to send out malicious spam emails to infect more victims.
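The macro-to-Rundll32 step above is the stage most defenders can catch on the endpoint: an Office process spawning rundll32.exe, and rundll32.exe being handed a DLL from a user-writable directory. The classifier below is an added example, not code from the original post or from any particular EDR product; the event shape is a constructed, Sysmon-like process-creation record and the sample events, paths and DLL names are made up for the example.

```python
"""
Rank process-creation events for the Office -> rundll32 stage of the chain.
Added illustrative code; the event fields and sample events are constructed.
"""
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE_PREFIXES = (r"c:\users\ ".strip(), r"c:\programdata\ ".strip(), r"c:\windows\temp\ ".strip())

# Constructed sample events: one dict per process creation
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"WINWORD.EXE" C:\Users\alice\Downloads\document.doc'},
    {"pid": 5208, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\loader.dll",Start'},
    {"pid": 6011, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"pid": 6100, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def extract_dll_path(command_line):
    """Return the DLL argument of a rundll32 command line (quoted or bare), or None.
    Handles the common form: rundll32[.exe] <dll>[,entrypoint] [arguments]."""
    rest = command_line.strip()
    # drop the rundll32 token itself, which may be quoted or a full path
    if rest.startswith('"'):
        end = rest.find('"', 1)
        rest = rest[end + 1:].lstrip() if end != -1 else ""
    else:
        _, _, rest = rest.partition(" ")
        rest = rest.lstrip()
    if not rest:
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        arg = rest[1:end] if end != -1 else rest[1:]
    else:
        arg = rest.split(None, 1)[0]
    dll, _, _ = arg.partition(",")
    return dll or None


def in_user_writable(path):
    """True when the path sits under a location a normal user can write to."""
    normalised = str(PureWindowsPath(path)).lower()
    return normalised.startswith(USER_WRITABLE_PREFIXES)


def classify(event):
    """Severity for a single event, or None when it is not a rundll32 launch of interest."""
    if basename(event["image"]) != "rundll32.exe":
        return None
    office_parent = basename(event["parent_image"]) in OFFICE_IMAGES
    dll = extract_dll_path(event["command_line"])
    writable_dll = bool(dll) and in_user_writable(dll)
    if office_parent and writable_dll:
        return "high"      # the exact shape of the macro -> DLL stage
    if office_parent:
        return "medium"    # Office should not be spawning rundll32 at all
    if writable_dll:
        return "low"       # worth a look, but many installers do this
    return None


def scan_events(events):
    """Return (pid, severity) for every event the classifier flags."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((event["pid"], severity))
    return hits


if __name__ == "__main__":
    for pid, severity in scan_events(SAMPLE_EVENTS):
        print(pid, severity)
```

Pairing the parent-process check with the DLL location keeps the rule useful on hosts where Office legitimately launches helper processes: a system DLL loaded by rundll32 under Word is still reported, but at a lower severity than a DLL dropped into a temp directory.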
Conclusion
With its ability to send malicious spam emails and deploy Cobalt Strike beacons, we believe that Hancitor will be a threat closely linked to future ransomware attacks, much like Emotet was. This threat also highlights the importance of continually monitoring the threat landscape so that we can react quickly to evolving threats and protect our customers from them.
IOCs, Coverage, and MITRE
IOCs
IOC                               | Type   | IOC                                                                         | Coverage          | Content Version
----------------------------------|--------|-----------------------------------------------------------------------------|-------------------|----------------
Malicious Document                | SHA256 | e389a71dc450ab4077f5a23a8f798b89e4be65373d2958b0b0b517de43d06e3b            | W97M/Dropper.hx   | 4641
Hancitor DLL                      | SHA256 | c703924acdb199914cb585f5ecc6b18426b1a730f67d0f2606afbd38f8132ad6            | Trojan-Hancitor.a | 4644
Domain hosting Malicious Document | URL    | http[:]//onyx-food[.]com/coccus.php                                         | RED               | N/A
Domain hosting Malicious Document | URL    | http[:]//feedproxy[.]google[.]com/~r/ugyxcjt/~3/4gu1Lcmj09U/coccus.php      | RED               | N/A
MITRE
Technique ID | Tactic          | Technique details
-------------|-----------------|----------------------------------------------------------
T1566.002    | Initial Access  | Spam mail with links
T1204.001    | Execution       | User Execution by opening link
T1204.002    | Execution       | Executing downloaded document
T1218        | Defence Evasion | Signed Binary Execution: Rundll32
T1055        | Defence Evasion | Downloaded binaries are injected into svchost for execution
T1482        | Discovery       | Domain Trust Discovery
T1071        | C&C             | HTTP protocol for communication
T1132        | C&C             | Data is base64 encoded and XORed